View Remote Desktop sessions Server 2022

You have likely noticed that viewing Remote Desktop sessions and related details has become increasingly difficult. This is largely a result of some recent developments: There was the overhaul of Remote Desktop Services in Windows Server 2012 R2 and later server operating systems. Then, there’s the emergence of Windows Virtual Desktop in Azure.

Microsoft removed the old TSAdmin utility in Windows Server 2012 R2, replacing it with the often cumbersome Remote Desktop Services Manager in the Server Manager utility. It is scarce in detail regarding these sessions, and it does not scale well in larger environments. In addition, attempting to shadow remote desktop sessions with MSTSC often does not work as expected, especially with multiple monitor sessions.

And what about viewing Remote Desktop sessions in Windows Virtual Desktop? Well, you don’t get much of a break there either. Currently, you must use the Windows Virtual Desktop control plane in the Azure Portal, which is even more feature limited than the Remote Desktop Services Manager in Server Manager for classic RDS deployments.

At RDPSoft, we identified these pain points many years ago, and created an assortment of free and commercial solutions to solve these problems. Here are three different ways we’ve made viewing Remote Desktop sessions easier:

Viewing Session Properties Such as Idle Time, Connect Time & More

Remote Desktop Commander Lite Helps You View Remote Desktop Sessions Properties

Users of our free Remote Desktop Commander Lite utility can quickly view sessions connected to their terminal servers, RDS collections, and WVD hosts, and then perform management actions like logging off disconnected or hung users, sending messages, checking on the quality of their connection, and much more.

Some of the available properties of the displayed remote desktop sessions include:

  • Username
  • Server Name
  • Winstation Name
  • Client IP
  • Client Build Number
  • State [Active/Disconnected]
  • Idle Time
  • Connect Time
  • Session ID
  • RDP Bandwidth

Viewing Remote Desktop Session User Activities in Real Time With SuperShadow

Viewing Multiple Remote Desktop Sessions At Once With the MiniView Dock

Of course, some organizations need to view what users are actually doing inside their remote desktop sessions in order to assist them in a support session, or to audit their work in accordance with policy. If so, our Premium Management Features solution is a very affordable way to do so, giving admins, help desk workers, and managers the ability to view and remote control remote desktop sessions in RDS and WVD with ease.

Multiple remote desktop sessions can be viewed and/or interacted with at the same time inside the MiniView dock, and specific sessions can be brought into sharper focus with powerful resizing features.

Viewing Session Activity On a Historic Basis To Analyze Performance & Monitor User Activity

Administrators and Managers Can View Recorded Remote Desktop Session Activity After the Fact With the Remote Desktop Commander Suite

Finally, some businesses need to have full insight into how the remote desktop session activity of various users impacts the performance of their terminal servers. They may also need to record terminal server sessions to satisfy auditing and compliance or security policies on their network. In these scenarios, our Remote Desktop Commander Suite is the best tool for the job.

After administrators deploy a lightweight agent service on each terminal server or WVD host, the main Remote Desktop Reporter Service collects information such as CPU and memory utilization per process and per user session, TCP/UDP network activity per user and per process, and screenshots with window captions for added context into a central SQL database. Managers and server admins can then review this activity to spot performance problems and/or any user activity that violates Acceptable Use Policies on corporately owned IT assets.

Want To Learn More?

Reach out so that we can provide you even more information. You can request a demo, request a quote, or you can even contact us via phone.

You may want to see which users are logged on to your Windows 2016 Server at any given time, and you may want to log off a user. Users can be "active" on a server or in a "disconnected" session state, which means they disconnected from the server but did not log off. Since disconnected sessions continue to consume server resources, we recommend enabling a group policy that logs off disconnected sessions automatically after a set period, such as 5 minutes or X hours. The easiest method is to enable a group policy that sets session time limits for all users, as follows:

  1. Cmd prompt, gpedit.msc
  2. Computer Configuration, Admin Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Session Time Limits
    1. Enable appropriate group policies and modify as needed
    2. We recommend setting this one because it will prevent disconnected sessions from consuming server resources — “Set time limit for disconnect sessions”
  3. After modifying group policies, you can force an update without rebooting by typing “gpupdate /force” at cmd prompt

By default, we now release Windows 2016 Servers with the disconnected session limit set at 5 minutes. We strongly recommend keeping this group policy at 5 minutes, or changing it to another time period of your choosing. We don't enable a default policy to log off "idle" sessions after X period of time, but we recommend enabling this at X hours or X days.
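To check what the Session Time Limits policies above have actually been set to on a host, here is an added PowerShell example (not from the original article) that reads the policy registry values they write and reports them in minutes. It assumes the standard Terminal Services policy key and that the values are stored as DWORD milliseconds, with 0 or a missing value meaning no limit.

```powershell
# Added example (not from the original page): report the RDS session time
# limits that the "Session Time Limits" policies write under the Terminal
# Services policy key. Assumed: values are DWORD milliseconds, 0/missing = no limit.
function Get-RdsSessionTimeLimit {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $names = [ordered]@{
        MaxDisconnectionTime = 'Set time limit for disconnected sessions'
        MaxIdleTime          = 'Set time limit for active but idle sessions'
        MaxConnectionTime    = 'Set time limit for active sessions'
    }
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $names.Keys) {
        # DWORD values come back as Int32; mask to recover large unsigned settings
        $ms = if ($policy -and $null -ne $policy.$name) { [int64]$policy.$name -band 0xFFFFFFFF } else { 0 }
        [pscustomobject]@{
            Policy       = $names[$name]
            ValueName    = $name
            LimitMinutes = if ($ms -gt 0) { [math]::Round($ms / 60000, 1) } else { $null }
            Configured   = ($ms -gt 0)
        }
    }
}
# A host where "Configured" is False for MaxDisconnectionTime never logs off
# disconnected sessions, which is the condition the policy above is meant to fix.
Get-RdsSessionTimeLimit | Format-Table -AutoSize
```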

To see details on each user's session (how long it has been active, whether it is disconnected or idle, etc.), open a command prompt and type "quser", which shows each user with session statistics.

We haven't seen this happen very frequently, but if a user logs on to the server and the screen remains black, it is likely because the user has an existing disconnected session that has not been fully logged off. To resolve this, log in to the server as an Administrator and log off the user's disconnected session. When the user logs in again, they should see their full desktop session without any issues.

Steps to view and log off users:

  1. Log in as Administrator or with an account that has administrator rights
  2. Open Task Manager by right-clicking the taskbar
  3. Click "More details" to view all tabs of Task Manager
  4. Go to the "Users" tab, which shows the users logged on to the server
  5. Right-click a username and select "Log Off"

We recommend that users be educated to log off from the server when their tasks are completed (Start, click the username, select Log off or Sign out) instead of just disconnecting the session by clicking the X in the upper right corner, which does not log the user off and only disconnects the session.

In this article, we'll describe how to get and audit the RDP connection logs in Windows. The RDP connection logs allow RDS terminal server administrators to find out which users logged on to the server, when a specific RDP user logged on and ended the session, and from which device (DNS name or IP address) the user logged on.


The article is applicable when analyzing RDP logs for both Windows Server 2022/2019/2016/2012R2 and desktop editions (Windows 11, 10, and 8.1).

RDP Connection Events in Windows Event Viewer

When a user connects to a Remote Desktop-enabled or RDS host, information about these events is stored in the Event Viewer logs (eventvwr.msc). Consider the main stages of an RDP connection and the related events in the Event Viewer that may be of interest to the administrator:

  1. Network Connection;
  2. Authentication;
  3. Logon;
  4. Session Disconnect/Reconnect;
  5. Logoff.

Network Connection – establishing a network connection to a server from the user's RDP client. It is the event with EventID 1149 (Remote Desktop Services: User authentication succeeded). If this event is found, it doesn't mean that user authentication has been successful. This log is located in "Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-RemoteConnectionManager -> Operational". Enable the log filter for this event (right-click the log -> Filter Current Log -> EventId 1149).

You can list all RDP connection attempts with PowerShell:

$RDPAuths = Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' -FilterXPath '*[System[EventID=1149]]'
[xml[]]$xml = $RDPAuths | Foreach { $_.ToXml() }
$EventData = Foreach ($event in $xml.Event) {
    New-Object PSObject -Property @{
        # 24-hour clock (HH); 'hh' would print 12-hour times without an AM/PM marker
        TimeCreated = (Get-Date ($event.System.TimeCreated.SystemTime) -Format 'yyyy-MM-dd HH:mm:ss K')
        User   = $event.UserData.EventXML.Param1   # user name
        Domain = $event.UserData.EventXML.Param2   # domain (present when NLA is used)
        Client = $event.UserData.EventXML.Param3   # client IP address
    }
}
$EventData | FT

Then you will get an event list with the history of all RDP connections to this server. The logs provide a username, a domain (in this case Network Level Authentication is used; if NLA is disabled, the event description looks different), and the IP address of the user's computer.

Authentication shows whether an RDP user has been successfully authenticated on the server or not. The log is located under Windows -> Security. So, you may be interested in the events with EventID 4624 (An account was successfully logged on) or 4625 (An account failed to log on).

Please pay attention to the LogonType value in the event description.

  • LogonType = 10 or 3 – the Remote Desktop service has been used to create a new session during logon;
  • LogonType = 7 – a user has reconnected to the existing RDP session;
  • LogonType = 5 – RDP connection to the server console (in the mstsc.exe /admin mode).

In this case, the user name is contained in the event description in the Account Name field, the computer name in the Workstation Name, and the user IP in the Source Network Address.

You can get a list of successful RDP authentication events (EventID 4624) using this PowerShell command:

Get-EventLog Security -After (Get-Date -Hour 0 -Minute 0 -Second 0) | ?{ $_.EventID -eq 4624 -and $_.Message -match 'logon type:\s+(10)\s' } | Out-GridView

Logon refers to an RDP login to Windows. EventID 21 – this event appears after a user has been successfully authenticated (Remote Desktop Services: Session logon succeeded). These events are located in "Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational". As you can see, here you can find the ID of a user's RDP session – the Session ID.

EventID 21 (Remote Desktop Services: Shell start notification received) indicates that the Explorer shell has been successfully started (the Windows desktop appears in the user's RDP session).

Session Disconnect/Reconnect – session disconnection and reconnection events have different IDs depending on what caused the user disconnection (disconnection due to inactivity set in timeouts for RDP sessions, the Disconnect option selected by the user in the session, the RDP session ended by another user or an administrator, etc.). You can find these events in the Event Viewer under "Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational". Let's consider the RDP Event IDs that might be useful:

EventID 4778 in the "Windows -> Security" log (A session was reconnected to a Window Station). A user has reconnected to an RDP session (the user is assigned a new LogonID).

EventID 4779 in the "Windows -> Security" log (A session was disconnected from a Window Station). A user has been disconnected from an RDP session.

Logoff refers to the end of a user session. It is logged as the event with EventID 23 (Remote Desktop Services: Session logoff succeeded) under "Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational".

At the same time, EventID 4634 (An account was logged off) appears in the Security log.

EventID 9009 (The Desktop Window Manager has exited with code ) in the System log means that a user has initiated logoff from the RDP session, and both the window and the graphical shell of the user have been terminated.

EventID 4647 — User-initiated logoff

Getting Remote Desktop Login History with PowerShell

Here is a short PowerShell script that lists the history of all RDP connections for the current day from the RDS terminal server event logs. The resulting table shows the connection time, the client's IP address (DNS computer name), and the remote user name (if necessary, you can include other LogonTypes in the report).

Get-EventLog -LogName Security -After (Get-Date -Hour 0 -Minute 0 -Second 0) |
  ?{ (4624,4778) -contains $_.EventID -and $_.Message -match 'logon type:\s+(10)\s' } |
  # Note: 4778 messages carry no "Logon Type" field, so only 4624 events pass this filter
  %{
    (New-Object -Type PSObject -Property @{
      TimeGenerated = $_.TimeGenerated
      ClientIP   = $_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+)\s+.*','$1'
      UserName   = $_.Message -replace '(?smi).*\s\sAccount Name:\s+([^\s]+)\s+.*','$1'
      UserDomain = $_.Message -replace '(?smi).*\s\sAccount Domain:\s+([^\s]+)\s+.*','$1'
      LogonType  = $_.Message -replace '(?smi).*Logon Type:\s+([^\s]+)\s+.*','$1'
    })
  } | Sort-Object TimeGenerated -Descending | Select-Object TimeGenerated, ClientIP `
  , @{N='Username';E={ '{0}\{1}' -f $_.UserDomain, $_.UserName }} `
  , @{N='LogType';E={
      switch ($_.LogonType) {
        2  {'Interactive - local logon'}
        3  {'Network connection to shared folder'}
        4  {'Batch'}
        5  {'Service'}
        7  {'Unlock (after screensaver)'}
        8  {'NetworkCleartext'}
        9  {'NewCredentials (local impersonation process under existing connection)'}
        10 {'RDP'}
        11 {'CachedInteractive'}
        default {"LogType Not Recognised: $($_.LogonType)"}
      }
  }}
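The script above scrapes the localized Message text with regular expressions, which breaks on non-English systems and on any wording change. As an added example (not from the original article), the same report can be built from the event's named EventData fields by reading the XML of each 4624 event with Get-WinEvent; it assumes the standard 4624 field names (TargetUserName, LogonType, IpAddress, WorkstationName, TargetLogonId) and an elevated session on the RDS host.

```powershell
# Added example (not from the original page): RDP logon report built from the
# named EventData fields of 4624 events instead of regex over the Message text.
# Assumed: standard 4624 field names; run elevated so the Security log is readable.
function Get-RdpLogonReport {
    param(
        [datetime]$Since = (Get-Date).Date,
        [int[]]$LogonType = @(10)        # 10 = RemoteInteractive (RDP); add 7 for reconnects
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Turn the <Data Name="X">value</Data> entries into a name -> value table
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ([int]$data.LogonType -notin $LogonType) { continue }
        [pscustomobject]@{
            TimeCreated = $ev.TimeCreated
            User        = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            LogonType   = [int]$data.LogonType
            ClientIP    = $data.IpAddress        # '-' when the client supplied no address
            Workstation = $data.WorkstationName
            LogonId     = $data.TargetLogonId    # matches the LogonId in 4634/4647 logoff events
        }
    }
}
Get-RdpLogonReport | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

The LogonId column lets you pair each logon with its 4634 or 4647 logoff event to measure session duration, which the regex version does not expose.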

You can export RDP connection logs from the Event Viewer to a CSV file (for further analysis in an Excel spreadsheet). You can export the log from the Event Viewer GUI (assuming the Event Viewer logs have not been cleared) or via the command prompt:

WEVTUtil query-events Security > c:\ps\rdp_security_log.txt

Or with PowerShell:

get-winevent -logname "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | Export-Csv c:\ps\rdp_connection_log.txt  -Encoding UTF8

If your users connect to corporate RDS hosts through the Remote Desktop Gateway, you can check the user connection logs in the Microsoft-Windows-TerminalServices-Gateway log by EventID 302. For example, the following PowerShell script will display the specified user's connection history through RD Gateway:

$rdpusername = "b.smith"
$properties = @(
    @{n='User';e={$_.Properties[0].Value}},
    @{n='Source IP Address';e={$_.Properties[1].Value}},
    @{n='TimeStamp';e={$_.TimeCreated}},
    @{n='Target RDP host';e={$_.Properties[3].Value}}
)
(Get-WinEvent -FilterHashTable @{LogName='Microsoft-Windows-TerminalServices-Gateway/Operational';ID='302'} | Select-Object $properties) -match $rdpusername

You can display the list of current remote sessions on your RDS host with the command:

qwinsta

The command returns the session ID, the USERNAME, and the session state (Active/Disconnect). This command is useful when you need to get the user's RDP session ID for shadowing a Remote Desktop connection.

You can display the list of running processes in a specific RDP session (the session ID is specified):

qprocess /id:5
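Both qwinsta and the quser command mentioned earlier print fixed-width text, and disconnected sessions leave the SESSIONNAME column empty, which breaks naive whitespace splitting. As an added example (not from the original article), the following PowerShell function parses quser output into objects so disconnected sessions can be located by ID; it assumes the English column layout shown in the constructed sample and does not run quser or logoff itself.

```powershell
# Added example (not from the original page): parse quser output into objects.
# Assumed: English column headers and the layout of the constructed sample below.
function ConvertFrom-Quser {
    param([string[]]$Lines)
    foreach ($line in ($Lines | Select-Object -Skip 1)) {      # skip the header row
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # A leading '>' marks the caller's own session; columns are separated by 2+ spaces
        $fields = ($line.TrimStart('>', ' ') -replace '\s{2,}', "`t") -split "`t"
        if ($fields.Count -eq 5) {                               # no SESSIONNAME => disconnected
            $fields = @($fields[0], '') + $fields[1..4]
        }
        [pscustomobject]@{
            UserName    = $fields[0]
            SessionName = $fields[1]
            Id          = [int]$fields[2]
            State       = $fields[3]
            IdleTime    = $fields[4]
            LogonTime   = $fields[5]
        }
    }
}

# Constructed sample of quser output (not captured from a real host)
$sample = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#3           2  Active      .  10/3/2023 9:15 AM
 jdoe                                      3  Disc     1:25  10/3/2023 8:02 AM
 asmith                rdp-tcp#5           4  Active     12  10/3/2023 9:40 AM
'@ -split "`r?`n"

# Disconnected sessions that are still holding server resources; on a live host
# replace $sample with (quser) and log one off with: logoff <Id>
ConvertFrom-Quser -Lines $sample | Where-Object State -eq 'Disc'
```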

Outgoing RDP Connection Logs in Windows

You can also view outgoing RDP connection logs on the client side. They are available in the following event log: Application and Services Logs -> Microsoft -> Windows -> TerminalServices-ClientActiveXCore -> Microsoft-Windows-TerminalServices-RDPClient -> Operational.

For example, EventID 1102 occurs when a user connects to a remote Windows Server RDS host or a Windows 10/11 computer with RDP enabled (desktop Windows editions also support multiple simultaneous RDP connections).

The client has initiated a multi-transport connection to the server 192.168.13.201.

The following PowerShell script will display the history of RDP client connections on the current computer:

$properties = @(
    @{n='TimeStamp';e={$_.TimeCreated}},
    @{n='LocalUser';e={$_.UserID}},
    @{n='Target RDP host';e={$_.Properties[1].Value}}
)
Get-WinEvent -FilterHashTable @{LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational';ID='1102'} | Select-Object $properties

The script returns the SIDs of the users who initiated RDP connections on this computer, as well as the DNS names/IP addresses of the Remote Desktop hosts that the users connected to. You can convert SIDs to usernames as follows.

Also, you can check the RDP connection history in the user’s registry.
